Keystone may also want to look at respecting such annotations in their logging mechanism, i.e. if Django were properly annotating these data objects, keystoneclient could check for those annotations and properly sanitize the log output.

If not this exact mechanism, then something similar would be wise.

For the time being, it's also worth documenting in both projects that a log level of DEBUG will log passwords in plain text.

Nathan: keystoneclient doesn't get named releases like the services do, so there wouldn't be anything to backport. You should be able to run the latest version of keystoneclient (including middleware.auth_token) with any supported service release, however.

Add the ability to turn off logging from the session object and then
handle logging of auth requests within their own sections. This is a
very simplistic ability to completely disable logging. Logging more
filtered debugging can be added later.

This new ability is utilized in this patch to prevent logging of
requests that include passwords. This covers authenticate, password
change, and user update requests that include passwords.

We should write an OSSN for this so people are aware of the fact that passwords for users will be logged in Horizon if debug logging is enabled. Now that a keystoneclient patch has been merged, we will soon have a release that doesn't log passwords anymore. We should recommend using the newer keystoneclient as soon as it's available.

Tokens shouldn't be logged since a token could be gathered from a
log file and used. The client was logging the X-Auth-Token and
X-Subject-Token request headers. With this change, the X-Auth-Token
and X-Subject-Token are shown as "TOKEN_REDACTED".
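As an added illustration of the two changes described in the commit messages above (example code, not keystoneclient's own), a request-log formatter that replaces the X-Auth-Token and X-Subject-Token header values with "TOKEN_REDACTED" and can drop the body of an auth request entirely, the way the session-level switch does. It goes one step further than the patch by also redacting string-valued password fields; the set of secret keys and the log line layout are assumptions.

```python
import json

# Request headers carrying bearer tokens; their values must never reach a log file.
REDACTED_HEADERS = frozenset({"x-auth-token", "x-subject-token"})
REDACTED_VALUE = "TOKEN_REDACTED"

# JSON keys whose string values are credentials in Identity API requests
# (assumed set covering authenticate, password change and user update bodies).
SECRET_KEYS = frozenset({"password", "original_password"})


def sanitize_headers(headers):
    """Return a copy of the headers with token values replaced by TOKEN_REDACTED."""
    return {
        name: (REDACTED_VALUE if name.lower() in REDACTED_HEADERS else value)
        for name, value in headers.items()
    }


def redact_secrets(obj):
    """Recursively replace string values stored under secret keys.

    Only strings are replaced: in a v3 auth body "password" also names the
    auth-method block, which must be descended into, not blanked.
    """
    if isinstance(obj, dict):
        return {
            key: ("***" if key.lower() in SECRET_KEYS and isinstance(value, str)
                  else redact_secrets(value))
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [redact_secrets(item) for item in obj]
    return obj


def format_request(method, url, headers, body=None, log_body=True):
    """Build a DEBUG log line for an HTTP request without leaking credentials.

    log_body=False mirrors the session-level switch: the body of an auth
    request is dropped entirely instead of being filtered.
    """
    parts = ["REQ: %s %s" % (method, url)]
    for name, value in sanitize_headers(headers).items():
        parts.append('-H "%s: %s"' % (name, value))
    if body is not None and log_body:
        try:
            clean = json.dumps(redact_secrets(json.loads(body)), sort_keys=True)
        except ValueError:
            clean = "<non-JSON body omitted>"
        parts.append("-d '%s'" % clean)
    return " ".join(parts)
```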